Can I ask for a bit of a management friendly / low tech view on an issue? Our organisation (for compliance purposes) has an annual network security health check conducted by a 3rd party pen testing firm. Our internal audit and risk team also express an interest in network security auditing. From what I gather with the external network security review - they essentially run a set of automated vulnerability scanners (i.e. Nessus) to identify weaknesses, and for proof of concept a sample of issues found are exploited using tools such as metasploit. My question is how thorough are these external reviews, or put another way – what "network security issues" won't they cover. If our internal team also want to look at network security, are there any specific areas you'd have them focus on which likely won't have been conducted by the 3rd party, or are the 3rd party assessments pretty thorough? Many Thanks

By the sounds of things, you've got to bring in qualified external testers to prove compliance with some kind of agreement (CHECK / PCI / Etc).

In my experience, those agreements have a strict methodology that must be followed, and so the external testers will have to conduct the testing in that method to cover themselves, before they do any 'real' testing.

So yes, they'll typically run automated tools (nmap / nessus / etc) to do the low level information finding and low hanging fruit stuff as that's required, and they won't be able to skip this stage.

Once they're through with that, it depends on how good the testers are, and how much time they've been allocated. Typically on a large network the first automated steps take a long period of time, and thus are costly, so management don't want to put in additional funding to find the 'real' issues, so the results of the test are nothing more than you could do yourself internally.

My advice would be to secure funding for the external testing to pass the contractual requirement you've got, and then secure separate additional funding to bring in the 3rd party to target specific security concerns you've got. If you don't know where your weak areas are, you're better off asking for a scenario based penetration test instead, but bear in mind this can get costly.
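The point above that the first automated stage (nmap / Nessus port and service discovery) is something an internal team could do themselves is worth making concrete. Below is an added example, not code from either poster: an internal team runs nmap with XML output (nmap -oX), and this script parses that output and diffs the open ports per host against an approved-services baseline, so the interesting result is "what is exposed that should not be" rather than a raw scanner listing. The sample XML, the addresses and the BASELINE dictionary are all constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an nmap -oX run covering two hosts.
# Hypothetical addresses and services; not taken from any real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/30" start="0">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
      <port protocol="udp" portid="161"><state state="open" reason="udp-response"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical approved-services baseline: what each host is *supposed* to expose.
# In practice this comes from the change/asset register, not from a previous scan.
BASELINE = {
    "10.0.0.1": {("tcp", 22), ("tcp", 443)},
    "10.0.0.2": {("tcp", 445)},
}


def parse_open_ports(xml_text):
    """Return {ipv4_address: {(protocol, port), ...}} for every open port of every host that is up."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down / filtered hosts carry no port data worth diffing
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        open_ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.add((port.get("protocol"), int(port.get("portid"))))
        result[addr_el.get("addr")] = open_ports
    return result


def diff_against_baseline(observed, baseline):
    """Compare scan results with the baseline.

    unexpected: open ports the baseline does not allow (exposure to investigate)
    missing:    baseline services not seen open (outage, or the scan was blocked)
    unknown_hosts: live hosts the baseline does not know about (unregistered assets)
    """
    unexpected = {}
    for addr, ports in observed.items():
        extra = ports - baseline.get(addr, set())
        if extra:
            unexpected[addr] = extra
    missing = {}
    for addr, allowed in baseline.items():
        gone = allowed - observed.get(addr, set())
        if gone:
            missing[addr] = gone
    unknown_hosts = sorted(set(observed) - set(baseline))
    return {"unexpected": unexpected, "missing": missing, "unknown_hosts": unknown_hosts}


if __name__ == "__main__":
    findings = diff_against_baseline(parse_open_ports(SAMPLE_NMAP_XML), BASELINE)
    for addr, ports in sorted(findings["unexpected"].items()):
        for proto, port in sorted(ports):
            print(f"UNEXPECTED  {addr} {proto}/{port}")
    for addr, ports in sorted(findings["missing"].items()):
        for proto, port in sorted(ports):
            print(f"MISSING     {addr} {proto}/{port}")
    for addr in findings["unknown_hosts"]:
        print(f"UNKNOWN HOST {addr}")
```

Run against a real export with `parse_open_ports(open("scan.xml").read())`. The value of this over a Nessus printout is the baseline: every line it prints is already a decision for someone to make (close the port, update the register, or check why the scanner was blocked), which is the kind of output internal audit can act on.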

If this is for compliance then the scope may be very broad. Automated tools will be relied on heavily to meet the engagement schedule. The compliance check does not specify what must be covered so things like Social Engineering are hardly ever included in-scope. The scope may not cover testing of network level security (router/switch ACLs) and it may not even cover web applications. The test may simply cover the vulnerability assessment as management may have stated they do not want systems taken down. The one thing you should not receive, however, is a print out of the Nessus scan as the final report. I've seen this come from a fairly large IT company that happens to now do Vulnerability Assessments. One major problem with the report I had was that it did not specify the specific areas on a website where a finding was found. But I digress, if you have doubts on your current security measures, why not conduct your own tests? Outside testing should be used to help you find the flaws you don't know about or don't have the experience to find. They should not just be a check box on the compliance list.

3xban wrote: If this is for compliance then the scope may be very broad. Automated tools will be relied on heavily to meet the engagement schedule. The compliance check does not specify what must be covered so things like Social Engineering are hardly ever included in-scope. The scope may not cover testing of network level security (router/switch ACLs) and it may not even cover web applications. The test may simply cover the vulnerability assessment as management may have stated they do not want systems taken down. The one thing you should not receive, however, is a print out of the Nessus scan as the final report. I've seen this come from a fairly large IT company that happens to now do Vulnerability Assessments. One major problem with the report I had was that it did not specify the specific areas on a website where a finding was found. But I digress, if you have doubts on your current security measures, why not conduct your own tests? Outside testing should be used to help you find the flaws you don't know about or don't have the experience to find. They should not just be a check box on the compliance list.

Are there any useful documents and guides that detail pre-implementation best practices and post-implementation maintenance and monitoring tasks required to avoid the common vulnerabilities?